On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:
> On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
>> I have been trying to find how to set the dovecot-sql.conf for using
>> SHA256/512. I am going to start clean with the stronger format, not
>> migrate from the old MD5. It seems all I need is:
>> [...]
>> default_pass_scheme = SHAxxx-CRYPT
>> [...]
>
> How do your users change their password ?
>

Many never do! Those that do use the Roundcube plugin, or ask me to change their password via the Postfixadmin manager. Sigh.

> Here's how I configured my roundcube's password plugin to keep things
> together ($roundcubefolder/plugins/password/config.php)
>
> $config['password_algorithm']        = 'dovecot';
> $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
> $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
> $config['password_query']            = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>
> I left other fields alone.
>
> Yassine.
>

Thanks, much better info than I was seeing in my googling. Except I would not use %p:

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
// (in case the username is an email address)
// %d is replaced with the domain part of the username
// (in case the username is an email address)

%D seems to be what I want... And in mysql, I believe the table is mailbox.

$rcmail_config['password_query'] = "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";

I got from: https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/

thanks!
On 2/20/19 3:28 PM, Robert Moskowitz via dovecot wrote:
>
>> Here's how I configured my roundcube's password plugin to keep things
>> together ($roundcubefolder/plugins/password/config.php)
>>
>> $config['password_algorithm']        = 'dovecot';
>> $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
>> $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
>> $config['password_query']            = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>>
>> I left other fields alone.
>>
>> Yassine.
>>
> Thanks, much better info than I was seeing in my googling. Except I
> would not use %p:
>
> // The SQL query used to change the password.
> // The query can contain the following macros that will be expanded as
> follows:
> // %p is replaced with the plaintext new password
> // %c is replaced with the crypt version of the new password, MD5 if
> available
> // otherwise DES.
> // %D is replaced with the dovecotpw-crypted version of the new password
> [...]
>
> %D seems to be what I want...
>

The rcmail_config[] syntax you pasted in your mail indicates you're using a very old version of roundcube. Here's the relevant content of my version of the password plugin:

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
//      %p is replaced with the plaintext new password
//      %P is replaced with the crypted/hashed new password
//         according to configured password_method
[...]
// Deprecated macros:
//      %c is replaced with the crypt version of the new password, MD5 if available
//         otherwise DES. More hash function can be enabled using the password_crypt_hash
//         configuration parameter.
//      %D is replaced with the dovecotpw-crypted version of the new password
[...]

Notice the difference b/w %p and %P. Also notice that %D is marked as deprecated.

> And in mysql, I believe the table is mailbox.
>

Oh, that depends entirely on your choice of naming and what table structure you have chosen.

>
> I got from:
> https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/
>

Ah, it seems Aki and I have already visited this link before ^^'

Yassine.
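As an added example (not code from the thread or from the Roundcube password plugin), the script below produces a value in the same {SHA512-CRYPT} format that the plugin stores through %P when password_dovecotpw_method is SHA512-CRYPT, and checks a candidate password against it. It assumes only PHP's built-in crypt(); the sample password is constructed.

```php
<?php
// Added example, not code from the thread or from the Roundcube password plugin.
// Dovecot's SHA512-CRYPT scheme is the crypt(3) "$6$" format carrying a
// "{SHA512-CRYPT}" prefix, so PHP's built-in crypt() can produce and verify it.

const SCHEME_PREFIX = '{SHA512-CRYPT}';

// Build a salted SHA-512 crypt hash; $rounds is the crypt(3) iteration count
// (5000 is the crypt default, Dovecot accepts the rounds= field).
function make_sha512_crypt(string $password, int $rounds = 5000): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {        // 16 random salt chars from the crypt alphabet
        $salt .= $alphabet[random_int(0, 63)];
    }
    $setting = sprintf('$6$rounds=%d$%s', $rounds, $salt);
    $hash = crypt($password, $setting);
    // crypt() signals an unusable setting string with a short result such as "*0"
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() did not produce a SHA-512 hash');
    }
    return SCHEME_PREFIX . $hash;
}

// Verify a candidate password against a stored "{SHA512-CRYPT}$6$..." value.
function verify_sha512_crypt(string $password, string $stored): bool
{
    if (strncmp($stored, SCHEME_PREFIX, strlen(SCHEME_PREFIX)) !== 0) {
        return false;                     // another scheme (e.g. legacy MD5) is not handled here
    }
    $hash = substr($stored, strlen(SCHEME_PREFIX));
    // crypt() re-derives the hash from the salt and rounds embedded in $hash;
    // hash_equals() compares the two strings in constant time.
    return hash_equals($hash, crypt($password, $hash));
}

// Constructed sample password, not a real credential.
$stored = make_sha512_crypt('correct horse battery staple');
echo $stored, PHP_EOL;
var_dump(verify_sha512_crypt('correct horse battery staple', $stored));
var_dump(verify_sha512_crypt('wrong password', $stored));
```

A value already sitting in the password column can also be cross-checked against Dovecot itself with `doveadm pw -t '<stored hash>' -p '<password>'`.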
I am trying to use the checkpassword authentication (https://wiki.dovecot.org/AuthDatabase/CheckPassword). I do have a working checkpassword program. The protocol expects to receive on fd 3 the following:

username<nul>password<nul>optionalstuff<nul>

I find that this works properly and the program can authenticate if the client is using PLAIN LOGIN. Both username and password are sent on fd 3.

But, if the client has specified kerberos/gssapi authentication, then only the username is passed to checkpassword. The following is a debug dump from checkpassword showing the input read on fd 3 (12 bytes):

len 12: 636861726d61696e65000000 charmaine...
User: [charmaine], PW: []

Without a password, checkpassword returns failure.

I am running dovecot in a Samba4 Active Directory. I have some email clients that use kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook). All users, however, are active directory domain users and all could potentially authenticate with AD credentials. I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via kerberos/GSSAPI has to also be in the mail server's /etc/passwd file with the same ID/PW as their AD credentials, which becomes a bit of a pain when the user changes his domain password.

Why does dovecot not pass the user's password to checkpassword? When I tried this a few years ago I thought it did. If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism? Is there a solution to this?

THX
--Mark